System and method for detecting malicious activity and classifying a network communication based on different indicator types
Abstract
One embodiment of a method for detecting a cyber-attack features first and second analyses. The first analysis is conducted on content of a communication to determine at least a first high quality indicator. The first high quality indicator represents a first probative value for classification. The second analysis is conducted on metadata related to the content to determine supplemental indicator(s). Each of the supplemental indicator(s) is represented by a probative value for classification. The communication is classified as being part of the cyber-attack when the first probative value exceeds a predetermined threshold, without consideration of the corresponding probative values for the supplemental indicator(s). In response to the first high quality indicator failing to classify the communication, the corresponding probative values associated with the one or more supplemental indicators are used together with at least the first probative value to classify the communication as being part of the cyber-attack.
25 Claims
1. A computerized method for detecting communications associated with a cyber-attack, comprising:
parsing packets of a network communication to identify at least network addressing information within the packets;
performing a first analysis on the network addressing information to determine whether the network addressing information corresponds to one or more high quality indicators, each high quality indicator of the one or more high quality indicators (i) identifies a strong correlation with a malicious activity and (ii) is represented by a first value being a score generated for the high quality indicator for use in classifying the network communication;
performing a second analysis on content of the network communication other than the network addressing information to determine whether the analyzed content of the network communication corresponds to one or more supplemental indicators, each supplemental indicator of the one or more supplemental indicators (i) identifies an anomaly in the content of the network communication and (ii) is represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication; and
classifying the network communication as part of the cyber-attack by (i) classifying the network communication as being part of the cyber-attack when one or more values of the one or more high quality indicators exceeds a predetermined threshold without consideration of the one or more supplemental indicators, and (ii) in response to the one or more first values corresponding to the one or more high quality indicators failing to exceed the predetermined threshold, using the one or more second values representing the one or more supplemental indicators with at least the one or more first values to classify the communication as being part of the cyber-attack.
Dependent claims: 2 to 17.
18. A computer implemented method for detecting a cyber-attack, comprising:
performing a first analysis on a uniform resource locator (URL) included as part of a network communication to determine whether the URL corresponds to at least a first high quality indicator, the first high quality indicator (i) identifying a strong correlation with a malicious activity and (ii) being represented by at least a first probative value being a score generated for the first high quality indicator for use in classifying the network communication;
performing a second analysis on metadata related to the URL included as part of the network communication to determine whether the analyzed metadata corresponds to one or more supplemental indicators, each of the one or more supplemental indicators being represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication; and
classifying the network communication including the URL as part of the cyber-attack by (i) classifying the network communication as being part of the cyber-attack when the first probative value exceeds a predetermined threshold without consideration of the corresponding probative values associated with the one or more supplemental indicators, and (ii) in response to the first high quality indicator failing to classify the network communication, using the corresponding probative values associated with the one or more supplemental indicators with at least the first probative value to classify the network communication as being part of the cyber-attack.
Dependent claims: 19 to 23.
24. A system for detecting a cyber attack, comprising:
one or more processors;
a memory communicatively coupled to the one or more processors, the memory includes
a recommending engine that, when executed by the one or more processors, is configured to perform a first analysis on network addressing information of packets of a network communication to determine whether the network addressing information corresponds to one or more high quality indicators, each high quality indicator of the one or more high quality indicators (i) identifies a strong correlation with a malicious activity and (ii) is represented by a first value being a score generated for the high quality indicator for use in classifying the network communication,
a supplemental indicator generator that, when executed by the one or more processors, is configured to perform a second analysis on content of the network communication other than the network addressing information to determine whether the analyzed content of the network communication corresponds to one or more supplemental indicators, each supplemental indicator of the one or more supplemental indicators (i) identifies an anomaly in the content of the network communication and (ii) is represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication, and
a classifying engine that, when executed by the one or more processors, is configured to classify the network communication as part of the cyber-attack by at least (i) classifying the communication as being part of the cyber-attack when at least the first value, representing at least the one or more high quality indicators, exceeds a predetermined threshold without consideration of the one or more second values of the one or more supplemental indicators, and (ii) in response to the one or more first values falling below the predetermined threshold, using the one or more second values representing the one or more supplemental indicators with at least the one or more first values to classify the communication as being part of the cyber-attack.
Dependent claims: 25.
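The two-tier classification recited in claims 1, 18 and 24 (a high quality indicator on the addressing information or URL decides on its own when its score clears the threshold, and only otherwise are supplemental anomaly scores on the remaining content combined with the first values), as an added worked example in Python. This is illustrative code written for this page, not code from the patent or its assignee. The indicator table and its scores, the thresholds, the anomaly heuristics, the noisy-OR combination rule and the sample HTTP requests are all constructed assumptions; the claims specify none of them.

```python
"""Two-tier indicator classifier modeled on the claimed method (added example).

Indicator tables, scores, thresholds, heuristics and sample requests are constructed
for illustration; they are not taken from the patent.
"""
import math
from dataclasses import dataclass, field

# Constructed high quality indicator table keyed on network addressing information
# (destination IP, host name, full URL). Each value is the claimed "first value": a
# score for how strongly the indicator correlates with malicious activity.
HIGH_QUALITY_INDICATORS = {
    "ip": {"203.0.113.7": 0.95},                           # TEST-NET-3 address, constructed
    "host": {"evil.example": 0.90, "parked.example": 0.40},
    "url": {"http://evil.example/gate.php": 0.99},
}
HQ_THRESHOLD = 0.80        # one high quality indicator at/above this ends the analysis
COMBINED_THRESHOLD = 0.80  # used only when no high quality indicator reached HQ_THRESHOLD


@dataclass
class Communication:
    dst_ip: str
    request: str  # raw HTTP request text (constructed); header lines separated by "\n"


@dataclass
class Verdict:
    malicious: bool
    stage: str  # "high_quality" (tier 1 decided) or "combined" (tier 2 used)
    hq_scores: dict = field(default_factory=dict)
    supplemental_scores: dict = field(default_factory=dict)
    combined: float = 0.0


def parse(comm):
    """Split the request into addressing information (ip, host, url) and other content."""
    lines = comm.request.strip().split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {
        "ip": comm.dst_ip, "host": host, "url": f"http://{host}{path}",  # addressing information
        "method": method, "path": path, "headers": headers,              # content other than addressing
    }


def shannon_entropy(s):
    """Bits per character of s; encoded or machine-generated strings score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def high_quality_scores(fields):
    """First analysis: match addressing information against the indicator table."""
    hits = {}
    for kind in ("ip", "host", "url"):
        score = HIGH_QUALITY_INDICATORS[kind].get(fields[kind])
        if score is not None:
            hits[f"{kind}:{fields[kind]}"] = score
    return hits


def supplemental_scores(fields):
    """Second analysis: anomalies in the content other than addressing information.
    Heuristics and weights are constructed for the example."""
    hits = {}
    user_agent = fields["headers"].get("user-agent", "")
    if shannon_entropy(fields["path"]) > 4.0:
        hits["high_entropy_path"] = 0.50
    if not user_agent.startswith("Mozilla/"):
        hits["non_browser_user_agent"] = 0.40
    if len(fields["path"]) > 48:
        hits["long_path"] = 0.30
    return hits


def classify(comm):
    fields = parse(comm)
    hq = high_quality_scores(fields)
    if hq and max(hq.values()) >= HQ_THRESHOLD:
        # Tier 1: a strong indicator decides alone; supplemental indicators are not computed.
        return Verdict(True, "high_quality", hq, {}, max(hq.values()))
    # Tier 2: no decisive high quality indicator, so the second values are combined
    # with whatever first values exist. Noisy-OR (a design choice here): 1 - prod(1 - s).
    supp = supplemental_scores(fields)
    survive = 1.0
    for score in list(hq.values()) + list(supp.values()):
        survive *= 1.0 - score
    combined = round(1.0 - survive, 3)
    return Verdict(combined >= COMBINED_THRESHOLD, "combined", hq, supp, combined)


# Constructed sample communications.
SAMPLES = {
    "known_c2_ip": Communication("203.0.113.7",
        "GET /index.html HTTP/1.1\nHost: cdn.example.net\nUser-Agent: Mozilla/5.0"),
    "benign": Communication("198.51.100.20",
        "GET /img/logo.png HTTP/1.1\nHost: cdn.example.net\nUser-Agent: Mozilla/5.0"),
    "weak_hq_plus_anomalies": Communication("198.51.100.21",
        "POST /dl/x9Qz7vK2mP4rT8wL1nB5cJ6hY0sF3gDaE.bin?k=u8Wq2Ne4Rt6Yi0Op HTTP/1.1\n"
        "Host: parked.example\nContent-Type: application/octet-stream"),
    "anomaly_only": Communication("198.51.100.22",
        "GET /x9Qz7vK2mP4rT8wL1nB5c HTTP/1.1\nHost: files.example.net\nUser-Agent: Mozilla/5.0"),
}

if __name__ == "__main__":
    for name, comm in SAMPLES.items():
        v = classify(comm)
        print(f"{name:24} malicious={v.malicious} stage={v.stage} combined={v.combined} "
              f"hq={v.hq_scores} supplemental={v.supplemental_scores}")
```

Running the file prints one verdict per sample. The known C2 address is classified in tier 1 and its supplemental dictionary stays empty, which is the "without consideration of" path of the claims; the request to parked.example carries only a 0.40 first value, so it falls through to tier 2 where the three content anomalies push the combined score over the threshold; the anomaly-only request shows that a single supplemental indicator with no first value does not trip the classifier on its own.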